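The following issues were found by static analysis (Pylint, Cppcheck and FlawFinder). Each entry gives the flagged line and column, any CWE codes and suggestion from the tool, and a source excerpt around the flagged line. FlawFinder matches on function and declaration names without following data flow, so its entries are candidates for review, not confirmed defects.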
tools/testing/selftests/tc-testing/tdc_helper.py
10 issues
Line: 13
Column: 53
testcases = dict()
for category in ucat:
testcases[category] = list(filter(lambda x: category in x['category'], alltests))
return(testcases)
def get_unique_item(lst):
Reported by Pylint.
Line: 15
Column: 1
for category in ucat:
testcases[category] = list(filter(lambda x: category in x['category'], alltests))
return(testcases)
def get_unique_item(lst):
""" For a list, return a list of the unique items in the list. """
if len(lst) > 1:
Reported by Pylint.
Line: 20
Column: 5
def get_unique_item(lst):
""" For a list, return a list of the unique items in the list. """
if len(lst) > 1:
return list(set(lst))
else:
return lst
Reported by Pylint.
Line: 29
Column: 9
def get_test_categories(alltests):
""" Discover all unique test categories present in the test case file. """
ucat = []
for t in alltests:
ucat.extend(get_unique_item(t['category']))
ucat = get_unique_item(ucat)
return ucat
def list_test_cases(testlist):
Reported by Pylint.
Line: 50
Column: 9
def print_list(cmdlist):
""" Print a list of strings prepended with a tab. """
for l in cmdlist:
if (type(l) == list):
print("\t" + str(l[0]))
else:
print("\t" + str(l))
Reported by Pylint.
Line: 51
Column: 1
def print_list(cmdlist):
""" Print a list of strings prepended with a tab. """
for l in cmdlist:
if (type(l) == list):
print("\t" + str(l[0]))
else:
print("\t" + str(l))
Reported by Pylint.
Line: 51
Column: 13
def print_list(cmdlist):
""" Print a list of strings prepended with a tab. """
for l in cmdlist:
if (type(l) == list):
print("\t" + str(l[0]))
else:
print("\t" + str(l))
Reported by Pylint.
Line: 57
Column: 1
print("\t" + str(l))
def print_sll(items):
print("\n".join(str(s) for s in items))
def print_test_case(tcase):
""" Pretty-printing of a given test case. """
Reported by Pylint.
Line: 65
Column: 1
""" Pretty-printing of a given test case. """
print('\n==============\nTest {}\t{}\n'.format(tcase['id'], tcase['name']))
for k in tcase.keys():
if (isinstance(tcase[k], list)):
print(k + ":")
print_list(tcase[k])
else:
if not ((k == 'id') or (k == 'name')):
print(k + ": " + str(tcase[k]))
Reported by Pylint.
Line: 69
Column: 21
print(k + ":")
print_list(tcase[k])
else:
if not ((k == 'id') or (k == 'name')):
print(k + ": " + str(tcase[k]))
Reported by Pylint.
tools/usb/ffs-aio-example/multibuff/device_app/aio_multibuff.c
10 issues
Line: 320
CWE codes:
908
handle_ep0(ep0, &ready);
/* we are waiting for function ENABLE */
if (!ready)
continue;
/*
* when we're preparing new data to submit,
* second buffer being transmitted
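Reported by Cppcheck.
Triage note: CWE-908 is use of an uninitialized resource. The report does not name the variable; `ready` is the likely candidate, since it is passed by address to handle_ep0() and tested on the next statement. Check its declaration, which is outside the excerpt, and whether every path through handle_ep0() assigns it. The aio_simple.c entry at line 297 flags the same pattern.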
Line: 263
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
/* open endpoint files */
sprintf(ep_path, "%s/ep0", argv[1]);
ep0 = open(ep_path, O_RDWR);
if (ep0 < 0) {
perror("unable to open ep0");
return 1;
}
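Reported by FlawFinder.
Triage note: the allocation flagged at line 256 of this file sizes ep_path as strlen(argv[1]) + 4 + 1, which covers "/ep" plus one digit and the terminating NUL. The sprintf() fits as written; passing that size to snprintf() would keep it bounded if the format string or the endpoint numbering changes.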
Line: 277
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
perror("unable to write strings");
return 1;
}
sprintf(ep_path, "%s/ep1", argv[1]);
ep1 = open(ep_path, O_RDWR);
if (ep1 < 0) {
perror("unable to open ep1");
return 1;
}
Reported by FlawFinder.
Line: 126
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_functionfs_strings_head header;
struct {
__le16 code;
const char str1[sizeof(STR_INTERFACE)];
} __attribute__ ((__packed__)) lang0;
} __attribute__ ((__packed__)) strings = {
.header = {
.magic = htole32(FUNCTIONFS_STRINGS_MAGIC),
.length = htole32(sizeof(strings)),
Reported by FlawFinder.
Line: 264
Column: 8
CWE codes:
362
/* open endpoint files */
sprintf(ep_path, "%s/ep0", argv[1]);
ep0 = open(ep_path, O_RDWR);
if (ep0 < 0) {
perror("unable to open ep0");
return 1;
}
if (write(ep0, &descriptors, sizeof(descriptors)) < 0) {
Reported by FlawFinder.
Line: 278
Column: 8
CWE codes:
362
return 1;
}
sprintf(ep_path, "%s/ep1", argv[1]);
ep1 = open(ep_path, O_RDWR);
if (ep1 < 0) {
perror("unable to open ep1");
return 1;
}
Reported by FlawFinder.
Line: 181
Column: 8
CWE codes:
120
20
int ret;
struct usb_functionfs_event event;
ret = read(ep0, &event, sizeof(event));
if (!ret) {
perror("unable to read event from ep0");
return;
}
display_event(&event);
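Reported by FlawFinder.
Triage note: the check `if (!ret)` catches only a zero-length read. read() returns -1 on failure and may return fewer bytes than sizeof(event); in both cases execution continues to display_event(&event) with event not fully written. Comparing ret against sizeof(event) covers all three cases. The aio_simple.c entry at line 176 shows the same check.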
Line: 256
Column: 19
CWE codes:
126
return 1;
}
ep_path = malloc(strlen(argv[1]) + 4 /* "/ep#" */ + 1 /* '\0' */);
if (!ep_path) {
perror("malloc");
return 1;
}
Reported by FlawFinder.
tools/thermal/tmon/tui.c
10 issues
Line: 48
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static WINDOW *thermal_data_window;
static WINDOW *dialogue_window;
char status_bar_slots[10][40];
static void draw_hbar(WINDOW *win, int y, int start, int len,
unsigned long pattern, bool end);
static int maxx, maxy;
static int maxwidth = 200;
Reported by FlawFinder.
Line: 152
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
maxwidth = maxx - 18;
status_bar_window = subwin(stdscr, 1, maxx, maxy-1, 0);
strcpy(status_bar_slots[0], " Ctrl-c - Quit ");
strcpy(status_bar_slots[1], " TAB - Tuning ");
wmove(status_bar_window, 1, 30);
/* prepare panels for dialogue, if panel already created then we must
* be doing resizing, so just replace windows with new ones, old ones
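Reported by FlawFinder.
Triage note: both copies take a short string literal as the source, and each status_bar_slots row is 40 bytes (declaration flagged at line 48), so neither call overflows as shown. The finding becomes relevant only if a slot is later filled from variable-length text.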
Line: 153
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
status_bar_window = subwin(stdscr, 1, maxx, maxy-1, 0);
strcpy(status_bar_slots[0], " Ctrl-c - Quit ");
strcpy(status_bar_slots[1], " TAB - Tuning ");
wmove(status_bar_window, 1, 30);
/* prepare panels for dialogue, if panel already created then we must
* be doing resizing, so just replace windows with new ones, old ones
* should have been deleted by close_window
Reported by FlawFinder.
Line: 408
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void handle_input_val(int ch)
{
char buf[32];
int val;
char path[256];
WINDOW *w = dialogue_window;
echo();
Reported by FlawFinder.
Line: 410
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char buf[32];
int val;
char path[256];
WINDOW *w = dialogue_window;
echo();
keypad(w, TRUE);
wgetnstr(w, buf, 31);
Reported by FlawFinder.
Line: 416
Column: 8
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
echo();
keypad(w, TRUE);
wgetnstr(w, buf, 31);
val = atoi(buf);
if (ch == ptdata.nr_cooling_dev) {
snprintf(buf, 31, "Invalid Temp %d! %d-%d", val,
MIN_CTRL_TEMP, MAX_CTRL_TEMP);
if (val < MIN_CTRL_TEMP || val > MAX_CTRL_TEMP)
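Reported by FlawFinder.
Triage note: atoi() reports no error, returns 0 when no digits are parsed, and has undefined behaviour when the value does not fit in an int. The excerpt shows a MIN_CTRL_TEMP/MAX_CTRL_TEMP range check on one branch; how val is checked on the other branch is outside the excerpt. strtol() with an end-pointer and errno check gives a definite parse result before any range test.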
Line: 444
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void handle_input_choice(int ch)
{
char buf[48];
int base = 0;
int cdev_id = 0;
if ((ch >= 'A' && ch <= 'A' + ptdata.nr_cooling_dev) ||
(ch >= 'a' && ch <= 'a' + ptdata.nr_cooling_dev)) {
Reported by FlawFinder.
Line: 604
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void show_sensors_w(void)
{
int i, j;
char buffer[512];
if (tui_disabled || !tz_sensor_window)
return;
werase(tz_sensor_window);
Reported by FlawFinder.
Line: 396
Column: 7
CWE codes:
126
werase(status_bar_window);
for (i = 0; i < 10; i++) {
if (strlen(status_bar_slots[i]) == 0)
continue;
wattron(status_bar_window, A_REVERSE);
mvwprintw(status_bar_window, 0, x, "%s", status_bar_slots[i]);
wattroff(status_bar_window, A_REVERSE);
x += strlen(status_bar_slots[i]) + 1;
Reported by FlawFinder.
Line: 401
Column: 8
CWE codes:
126
wattron(status_bar_window, A_REVERSE);
mvwprintw(status_bar_window, 0, x, "%s", status_bar_slots[i]);
wattroff(status_bar_window, A_REVERSE);
x += strlen(status_bar_slots[i]) + 1;
}
wrefresh(status_bar_window);
}
static void handle_input_val(int ch)
Reported by FlawFinder.
tools/usb/ffs-aio-example/simple/device_app/aio_simple.c
10 issues
Line: 297
CWE codes:
908
handle_ep0(ep0, &ready);
/* we are waiting for function ENABLE */
if (!ready)
continue;
/* if something was submitted we wait for event */
if (FD_ISSET(evfd, &rfds)) {
uint64_t ev_cnt;
Reported by Cppcheck.
Line: 234
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
/* open endpoint files */
sprintf(ep_path, "%s/ep0", argv[1]);
ep0 = open(ep_path, O_RDWR);
if (ep0 < 0) {
perror("unable to open ep0");
return 1;
}
Reported by FlawFinder.
Line: 249
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return 1;
}
for (i = 0; i < 2; ++i) {
sprintf(ep_path, "%s/ep%d", argv[1], i+1);
ep[i] = open(ep_path, O_RDWR);
if (ep[i] < 0) {
printf("unable to open ep%d: %s\n", i+1,
strerror(errno));
return 1;
Reported by FlawFinder.
Line: 124
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_functionfs_strings_head header;
struct {
__le16 code;
const char str1[sizeof(STR_INTERFACE)];
} __attribute__ ((__packed__)) lang0;
} __attribute__ ((__packed__)) strings = {
.header = {
.magic = htole32(FUNCTIONFS_STRINGS_MAGIC),
.length = htole32(sizeof(strings)),
Reported by FlawFinder.
Line: 235
Column: 8
CWE codes:
362
/* open endpoint files */
sprintf(ep_path, "%s/ep0", argv[1]);
ep0 = open(ep_path, O_RDWR);
if (ep0 < 0) {
perror("unable to open ep0");
return 1;
}
if (write(ep0, &descriptors, sizeof(descriptors)) < 0) {
Reported by FlawFinder.
Line: 250
Column: 11
CWE codes:
362
}
for (i = 0; i < 2; ++i) {
sprintf(ep_path, "%s/ep%d", argv[1], i+1);
ep[i] = open(ep_path, O_RDWR);
if (ep[i] < 0) {
printf("unable to open ep%d: %s\n", i+1,
strerror(errno));
return 1;
}
Reported by FlawFinder.
Line: 176
Column: 9
CWE codes:
120
20
ret = poll(pfds, 1, 0);
if (ret && (pfds[0].revents & POLLIN)) {
ret = read(ep0, &event, sizeof(event));
if (!ret) {
perror("unable to read event from ep0");
return;
}
display_event(&event);
Reported by FlawFinder.
Line: 227
Column: 19
CWE codes:
126
return 1;
}
ep_path = malloc(strlen(argv[1]) + 4 /* "/ep#" */ + 1 /* '\0' */);
if (!ep_path) {
perror("malloc");
return 1;
}
Reported by FlawFinder.
Line: 303
Column: 10
CWE codes:
120
20
/* if something was submitted we wait for event */
if (FD_ISSET(evfd, &rfds)) {
uint64_t ev_cnt;
ret = read(evfd, &ev_cnt, sizeof(ev_cnt));
if (ret < 0) {
perror("unable to read eventfd");
break;
}
Reported by FlawFinder.
drivers/counter/104-quad-8.c
10 issues
Line: 567
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
quad8_direction_get(counter, count, &dir);
return sprintf(buf, "%s\n", counter_count_direction_str[dir]);
}
static ssize_t quad8_count_enable_read(struct counter_device *counter,
struct counter_count *count, void *private, char *buf)
{
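Reported by FlawFinder.
Triage note: this and the other sprintf() entries for this file write a short fixed format ("%u\n", "%s\n" from a string table, or a literal) into a caller-supplied buf whose size is not visible in the excerpts. sprintf_s is not available in kernel code; the in-tree bounded forms are scnprintf() and, where buf is a sysfs show buffer, sysfs_emit().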
Line: 484
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct counter_count *count, void *private, char *buf)
{
/* Only a floor of 0 is supported */
return sprintf(buf, "0\n");
}
static int quad8_count_mode_get(struct counter_device *counter,
struct counter_count *count, size_t *cnt_mode)
{
Reported by FlawFinder.
Line: 575
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
const struct quad8 *const priv = counter->priv;
return sprintf(buf, "%u\n", priv->ab_enable[count->id]);
}
static ssize_t quad8_count_enable_write(struct counter_device *counter,
struct counter_count *count, void *private, const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 632
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
const struct quad8 *const priv = counter->priv;
return sprintf(buf, "%u\n", priv->preset[count->id]);
}
static void quad8_preset_register_set(struct quad8 *const priv, const int id,
const unsigned int preset)
{
Reported by FlawFinder.
Line: 687
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case 1:
case 3:
mutex_unlock(&priv->lock);
return sprintf(buf, "%u\n", priv->preset[count->id]);
}
mutex_unlock(&priv->lock);
/* By default 0x1FFFFFF (25 bits unsigned) is maximum count */
Reported by FlawFinder.
Line: 693
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_unlock(&priv->lock);
/* By default 0x1FFFFFF (25 bits unsigned) is maximum count */
return sprintf(buf, "33554431\n");
}
static ssize_t quad8_count_ceiling_write(struct counter_device *counter,
struct counter_count *count, void *private, const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 731
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
const struct quad8 *const priv = counter->priv;
return sprintf(buf, "%u\n", !priv->preset_enable[count->id]);
}
static ssize_t quad8_count_preset_enable_write(struct counter_device *counter,
struct counter_count *count, void *private, const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 791
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Mask respective channel and invert logic */
fault = !(status & BIT(channel_id));
return sprintf(buf, "%u\n", fault);
}
static ssize_t quad8_signal_cable_fault_enable_read(
struct counter_device *counter, struct counter_signal *signal,
void *private, char *buf)
Reported by FlawFinder.
Line: 802
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
const size_t channel_id = signal->id / 2;
const unsigned int enb = !!(priv->cable_fault_enable & BIT(channel_id));
return sprintf(buf, "%u\n", enb);
}
static ssize_t quad8_signal_cable_fault_enable_write(
struct counter_device *counter, struct counter_signal *signal,
void *private, const char *buf, size_t len)
Reported by FlawFinder.
Line: 842
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
const struct quad8 *const priv = counter->priv;
const size_t channel_id = signal->id / 2;
return sprintf(buf, "%u\n", priv->fck_prescaler[channel_id]);
}
static ssize_t quad8_signal_fck_prescaler_write(struct counter_device *counter,
struct counter_signal *signal, void *private, const char *buf,
size_t len)
Reported by FlawFinder.
crypto/gcm.c
10 issues
Line: 159
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct scatterlist *sg;
memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
memcpy(pctx->iv, req->iv, GCM_AES_IV_SIZE);
memcpy(pctx->iv + GCM_AES_IV_SIZE, &counter, 4);
sg_init_table(pctx->src, 3);
sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
Reported by FlawFinder.
Line: 160
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
memcpy(pctx->iv, req->iv, GCM_AES_IV_SIZE);
memcpy(pctx->iv + GCM_AES_IV_SIZE, &counter, 4);
sg_init_table(pctx->src, 3);
sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
if (sg != pctx->src + 1)
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lengths.a = cpu_to_be64(req->assoclen * 8);
lengths.b = cpu_to_be64(gctx->cryptlen * 8);
memcpy(pctx->iauth_tag, &lengths, 16);
sg_init_one(&pctx->sg, pctx->iauth_tag, 16);
ahash_request_set_callback(ahreq, flags, gcm_hash_len_done, req);
ahash_request_set_crypt(ahreq, &pctx->sg,
pctx->iauth_tag, sizeof(lengths));
Reported by FlawFinder.
Line: 661
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
{
const char *cipher_name;
char ctr_name[CRYPTO_MAX_ALG_NAME];
cipher_name = crypto_attr_alg_name(tb[1]);
if (IS_ERR(cipher_name))
return PTR_ERR(cipher_name);
Reported by FlawFinder.
Line: 701
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
keylen -= 4;
memcpy(ctx->nonce, key + keylen, 4);
crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
CRYPTO_TFM_REQ_MASK);
return crypto_aead_setkey(child, key, keylen);
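Reported by FlawFinder.
Triage note: the copy length is the constant 4, so the point to verify is the source offset rather than the destination: `keylen -= 4` is only safe if keylen was checked to be at least 4 beforehand. The `return -EINVAL` above suggests such a check, but its condition is outside the excerpt. The entry at line 909 shows the same sequence.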
Line: 735
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scatterwalk_map_and_copy(iv + GCM_AES_IV_SIZE, req->src, 0, req->assoclen - 8, 0);
memcpy(iv, ctx->nonce, 4);
memcpy(iv + 4, req->iv, 8);
sg_init_table(rctx->src, 3);
sg_set_buf(rctx->src, iv + GCM_AES_IV_SIZE, req->assoclen - 8);
sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
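Reported by FlawFinder.
Triage note: the memcpy() calls flagged at lines 735 and 736 use constant lengths (4 and 8). The length that depends on the request is `req->assoclen - 8` in the scatterwalk_map_and_copy() and sg_set_buf() calls; confirm that assoclen is validated to be at least 8, and to fit the space after iv + GCM_AES_IV_SIZE, before this point. The excerpt does not show that check.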
Line: 736
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scatterwalk_map_and_copy(iv + GCM_AES_IV_SIZE, req->src, 0, req->assoclen - 8, 0);
memcpy(iv, ctx->nonce, 4);
memcpy(iv + 4, req->iv, 8);
sg_init_table(rctx->src, 3);
sg_set_buf(rctx->src, iv + GCM_AES_IV_SIZE, req->assoclen - 8);
sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
if (sg != rctx->src + 1)
Reported by FlawFinder.
Line: 909
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
keylen -= 4;
memcpy(ctx->nonce, key + keylen, 4);
crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
CRYPTO_TFM_REQ_MASK);
return crypto_aead_setkey(child, key, keylen);
Reported by FlawFinder.
Line: 945
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
}
memcpy(iv, ctx->nonce, 4);
memcpy(iv + 4, req->iv, 8);
aead_request_set_tfm(subreq, ctx->child);
aead_request_set_callback(subreq, req->base.flags,
req->base.complete, req->base.data);
Reported by FlawFinder.
Line: 946
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(iv, ctx->nonce, 4);
memcpy(iv + 4, req->iv, 8);
aead_request_set_tfm(subreq, ctx->child);
aead_request_set_callback(subreq, req->base.flags,
req->base.complete, req->base.data);
aead_request_set_crypt(subreq, req->src, req->dst,
Reported by FlawFinder.
drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
10 issues
Line: 333
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdcp_cmd->in_msg.hdcp1_first_part_authentication.session_handle = hdcp->auth.id;
memcpy(hdcp_cmd->in_msg.hdcp1_first_part_authentication.bksv_primary, hdcp->auth.msg.hdcp1.bksv,
TA_HDCP__HDCP1_KSV_SIZE);
hdcp_cmd->in_msg.hdcp1_first_part_authentication.r0_prime_primary = hdcp->auth.msg.hdcp1.r0p;
hdcp_cmd->in_msg.hdcp1_first_part_authentication.bcaps = hdcp->auth.msg.hdcp1.bcaps;
hdcp_cmd->cmd_id = TA_HDCP_COMMAND__HDCP1_FIRST_PART_AUTHENTICATION;
Reported by FlawFinder.
Line: 402
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdcp_cmd->in_msg.hdcp1_second_part_authentication.session_handle = hdcp->auth.id;
hdcp_cmd->in_msg.hdcp1_second_part_authentication.ksv_list_size = hdcp->auth.msg.hdcp1.ksvlist_size;
memcpy(hdcp_cmd->in_msg.hdcp1_second_part_authentication.ksv_list, hdcp->auth.msg.hdcp1.ksvlist,
hdcp->auth.msg.hdcp1.ksvlist_size);
memcpy(hdcp_cmd->in_msg.hdcp1_second_part_authentication.v_prime, hdcp->auth.msg.hdcp1.vp,
sizeof(hdcp->auth.msg.hdcp1.vp));
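Reported by FlawFinder.
Triage note: most memcpy() entries for this file take their length from sizeof on the source field, so the size is fixed at compile time and can be compared once against the destination declaration. The copy flagged here is different: its length is the runtime field ksvlist_size. Confirm that it is bounded by the size of the destination ksv_list array before the copy; where ksvlist_size is set is outside the excerpt.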
Line: 405
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(hdcp_cmd->in_msg.hdcp1_second_part_authentication.ksv_list, hdcp->auth.msg.hdcp1.ksvlist,
hdcp->auth.msg.hdcp1.ksvlist_size);
memcpy(hdcp_cmd->in_msg.hdcp1_second_part_authentication.v_prime, hdcp->auth.msg.hdcp1.vp,
sizeof(hdcp->auth.msg.hdcp1.vp));
hdcp_cmd->in_msg.hdcp1_second_part_authentication.bstatus_binfo =
is_dp_hdcp(hdcp) ? hdcp->auth.msg.hdcp1.binfo_dp : hdcp->auth.msg.hdcp1.bstatus;
hdcp_cmd->cmd_id = TA_HDCP_COMMAND__HDCP1_SECOND_PART_AUTHENTICATION;
Reported by FlawFinder.
Line: 598
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hdcp_cmd->hdcp_status != TA_HDCP_STATUS__SUCCESS)
status = MOD_HDCP_STATUS_HDCP2_PREP_AKE_INIT_FAILURE;
else
memcpy(&hdcp->auth.msg.hdcp2.ake_init[0], &msg_out->prepare.transmitter_message[0],
sizeof(hdcp->auth.msg.hdcp2.ake_init));
mutex_unlock(&psp->hdcp_context.mutex);
return status;
}
Reported by FlawFinder.
Line: 625
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg_in->process.msg1_desc.msg_id = TA_HDCP_HDCP2_MSG_ID__AKE_SEND_CERT;
msg_in->process.msg1_desc.msg_size = TA_HDCP_HDCP2_MSG_ID_MAX_SIZE__AKE_SEND_CERT;
memcpy(&msg_in->process.receiver_message[0], hdcp->auth.msg.hdcp2.ake_cert,
sizeof(hdcp->auth.msg.hdcp2.ake_cert));
msg_in->prepare.msg1_id = TA_HDCP_HDCP2_MSG_ID__AKE_NO_STORED_KM;
msg_in->prepare.msg2_id = TA_HDCP_HDCP2_MSG_ID__AKE_STORED_KM;
Reported by FlawFinder.
Line: 685
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg_in->process.msg1_desc.msg_id = TA_HDCP_HDCP2_MSG_ID__AKE_SEND_H_PRIME;
msg_in->process.msg1_desc.msg_size = TA_HDCP_HDCP2_MSG_ID_MAX_SIZE__AKE_SEND_H_PRIME;
memcpy(&msg_in->process.receiver_message[0], hdcp->auth.msg.hdcp2.ake_h_prime,
sizeof(hdcp->auth.msg.hdcp2.ake_h_prime));
if (!hdcp->connection.is_km_stored) {
msg_in->process.msg2_desc.msg_id = TA_HDCP_HDCP2_MSG_ID__AKE_SEND_PAIRING_INFO;
msg_in->process.msg2_desc.msg_size = TA_HDCP_HDCP2_MSG_ID_MAX_SIZE__AKE_SEND_PAIRING_INFO;
Reported by FlawFinder.
Line: 691
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!hdcp->connection.is_km_stored) {
msg_in->process.msg2_desc.msg_id = TA_HDCP_HDCP2_MSG_ID__AKE_SEND_PAIRING_INFO;
msg_in->process.msg2_desc.msg_size = TA_HDCP_HDCP2_MSG_ID_MAX_SIZE__AKE_SEND_PAIRING_INFO;
memcpy(&msg_in->process.receiver_message[sizeof(hdcp->auth.msg.hdcp2.ake_h_prime)],
hdcp->auth.msg.hdcp2.ake_pairing_info, sizeof(hdcp->auth.msg.hdcp2.ake_pairing_info));
}
hdcp_cmd->cmd_id = TA_HDCP_COMMAND__HDCP2_PREPARE_PROCESS_AUTHENTICATION_MSG_V2;
Reported by FlawFinder.
Line: 764
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg_in->process.msg1_desc.msg_id = TA_HDCP_HDCP2_MSG_ID__LC_SEND_L_PRIME;
msg_in->process.msg1_desc.msg_size = TA_HDCP_HDCP2_MSG_ID_MAX_SIZE__LC_SEND_L_PRIME;
memcpy(&msg_in->process.receiver_message[0], hdcp->auth.msg.hdcp2.lc_l_prime,
sizeof(hdcp->auth.msg.hdcp2.lc_l_prime));
hdcp_cmd->cmd_id = TA_HDCP_COMMAND__HDCP2_PREPARE_PROCESS_AUTHENTICATION_MSG_V2;
psp_hdcp_invoke(psp, hdcp_cmd->cmd_id);
Reported by FlawFinder.
Line: 875
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg_in->process.msg1_desc.msg_id = TA_HDCP_HDCP2_MSG_ID__REPEATERAUTH_SEND_RECEIVERID_LIST;
msg_in->process.msg1_desc.msg_size = sizeof(hdcp->auth.msg.hdcp2.rx_id_list);
memcpy(&msg_in->process.receiver_message[0], hdcp->auth.msg.hdcp2.rx_id_list,
sizeof(hdcp->auth.msg.hdcp2.rx_id_list));
msg_in->prepare.msg1_id = TA_HDCP_HDCP2_MSG_ID__REPEATERAUTH_SEND_ACK;
hdcp_cmd->cmd_id = TA_HDCP_COMMAND__HDCP2_PREPARE_PROCESS_AUTHENTICATION_MSG_V2;
Reported by FlawFinder.
Line: 1009
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg_in->process.msg1_desc.msg_size = sizeof(hdcp->auth.msg.hdcp2.repeater_auth_stream_ready);
memcpy(&msg_in->process.receiver_message[0], hdcp->auth.msg.hdcp2.repeater_auth_stream_ready,
sizeof(hdcp->auth.msg.hdcp2.repeater_auth_stream_ready));
hdcp_cmd->cmd_id = TA_HDCP_COMMAND__HDCP2_PREPARE_PROCESS_AUTHENTICATION_MSG_V2;
psp_hdcp_invoke(psp, hdcp_cmd->cmd_id);
Reported by FlawFinder.
drivers/gpu/drm/amd/display/dc/core/dc.c
10 issues
Line: 1790
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* initially copied into every context
*/
#ifdef CONFIG_DRM_AMD_DC_DCN
memcpy(&context->bw_ctx.dml, &dc->dml, sizeof(struct display_mode_lib));
#endif
}
struct dc_state *dc_create_state(struct dc *dc)
{
Reported by FlawFinder.
Line: 1816
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!new_ctx)
return NULL;
memcpy(new_ctx, src_ctx, sizeof(struct dc_state));
for (i = 0; i < MAX_PIPES; i++) {
struct pipe_ctx *cur_pipe = &new_ctx->res_ctx.pipe_ctx[i];
if (cur_pipe->top_pipe)
Reported by FlawFinder.
Line: 2342
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (srf_update->gamma &&
(surface->gamma_correction !=
srf_update->gamma)) {
memcpy(&surface->gamma_correction->entries,
&srf_update->gamma->entries,
sizeof(struct dc_gamma_entries));
surface->gamma_correction->is_identity =
srf_update->gamma->is_identity;
surface->gamma_correction->num_entries =
Reported by FlawFinder.
Line: 2362
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
srf_update->in_transfer_func->tf;
surface->in_transfer_func->type =
srf_update->in_transfer_func->type;
memcpy(&surface->in_transfer_func->tf_pts,
&srf_update->in_transfer_func->tf_pts,
sizeof(struct dc_transfer_func_distributed_points));
}
if (srf_update->func_shaper &&
Reported by FlawFinder.
Line: 2370
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (srf_update->func_shaper &&
(surface->in_shaper_func !=
srf_update->func_shaper))
memcpy(surface->in_shaper_func, srf_update->func_shaper,
sizeof(*surface->in_shaper_func));
if (srf_update->lut3d_func &&
(surface->lut3d_func !=
srf_update->lut3d_func))
Reported by FlawFinder.
Line: 2376
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (srf_update->lut3d_func &&
(surface->lut3d_func !=
srf_update->lut3d_func))
memcpy(surface->lut3d_func, srf_update->lut3d_func,
sizeof(*surface->lut3d_func));
if (srf_update->hdr_mult.value)
surface->hdr_mult =
srf_update->hdr_mult;
Reported by FlawFinder.
Line: 2386
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (srf_update->blend_tf &&
(surface->blend_tf !=
srf_update->blend_tf))
memcpy(surface->blend_tf, srf_update->blend_tf,
sizeof(*surface->blend_tf));
if (srf_update->input_csc_color_matrix)
surface->input_csc_color_matrix =
*srf_update->input_csc_color_matrix;
Reported by FlawFinder.
Line: 2425
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
stream->out_transfer_func->tf = update->out_transfer_func->tf;
stream->out_transfer_func->type =
update->out_transfer_func->type;
memcpy(&stream->out_transfer_func->tf_pts,
&update->out_transfer_func->tf_pts,
sizeof(struct dc_transfer_func_distributed_points));
}
if (update->hdr_static_metadata)
Reported by FlawFinder.
Line: 3122
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Preserve refcount */
refcount = dc->current_state->refcount;
/* Preserve display mode lib */
memcpy(dml, &dc->current_state->bw_ctx.dml, sizeof(struct display_mode_lib));
dc_resource_state_destruct(dc->current_state);
memset(dc->current_state, 0,
sizeof(*dc->current_state));
Reported by FlawFinder.
Line: 3471
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd.dp_aux_access.aux_control.dpaux.action = action;
if (payload->length && payload->write) {
memcpy(cmd.dp_aux_access.aux_control.dpaux.data,
payload->data,
payload->length
);
}
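Reported by FlawFinder.
Triage note: unlike the sizeof-bounded copies in the earlier entries for this file, this memcpy() takes its length from payload->length, a runtime value. The excerpt checks only that it is non-zero; confirm that it is limited to the size of the dpaux.data array before the copy.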
drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
10 issues
Line: 962
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gfx_v8_0_init_microcode(struct amdgpu_device *adev)
{
const char *chip_name;
char fw_name[30];
int err;
struct amdgpu_firmware_info *info = NULL;
const struct common_firmware_header *header = NULL;
const struct gfx_firmware_header_v1_0 *cp_hdr;
const struct rlc_firmware_header_v2_0 *rlc_hdr;
Reported by FlawFinder.
Line: 1921
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ring->doorbell_index = adev->doorbell_index.mec_ring0 + ring_id;
ring->eop_gpu_addr = adev->gfx.mec.hpd_eop_gpu_addr
+ (ring_id * GFX8_MEC_HPD_SIZE);
sprintf(ring->name, "comp_%d.%d.%d", ring->me, ring->pipe, ring->queue);
irq_type = AMDGPU_CP_IRQ_COMPUTE_MEC1_PIPE0_EOP
+ ((ring->me - 1) * adev->gfx.mec.num_pipe_per_mec)
+ ring->pipe;
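Reported by FlawFinder.
Triage note: the format has three %d conversions, each of which can expand to up to 11 characters for an int. The size of ring->name is not visible in the excerpt; confirm it covers the worst case, or use snprintf() with sizeof(ring->name).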
Line: 2027
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < adev->gfx.num_gfx_rings; i++) {
ring = &adev->gfx.gfx_ring[i];
ring->ring_obj = NULL;
sprintf(ring->name, "gfx");
/* no gfx doorbells on iceland */
if (adev->asic_type != CHIP_TOPAZ) {
ring->use_doorbell = true;
ring->doorbell_index = adev->doorbell_index.gfx_ring0;
}
Reported by FlawFinder.
Line: 4648
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (amdgpu_in_reset(adev)) { /* for GPU_RESET case */
/* reset MQD to a clean status */
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(mqd, adev->gfx.mec.mqd_backup[mqd_idx], sizeof(struct vi_mqd_allocation));
/* reset ring buffer */
ring->wptr = 0;
amdgpu_ring_clear_ring(ring);
mutex_lock(&adev->srbm_mutex);
Reported by FlawFinder.
Line: 4670
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&adev->srbm_mutex);
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(adev->gfx.mec.mqd_backup[mqd_idx], mqd, sizeof(struct vi_mqd_allocation));
}
return 0;
}
Reported by FlawFinder.
Line: 4693
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&adev->srbm_mutex);
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(adev->gfx.mec.mqd_backup[mqd_idx], mqd, sizeof(struct vi_mqd_allocation));
} else if (amdgpu_in_reset(adev)) { /* for GPU_RESET case */
/* reset MQD to a clean status */
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(mqd, adev->gfx.mec.mqd_backup[mqd_idx], sizeof(struct vi_mqd_allocation));
/* reset ring buffer */
Reported by FlawFinder.
Line: 4697
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (amdgpu_in_reset(adev)) { /* for GPU_RESET case */
/* reset MQD to a clean status */
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(mqd, adev->gfx.mec.mqd_backup[mqd_idx], sizeof(struct vi_mqd_allocation));
/* reset ring buffer */
ring->wptr = 0;
amdgpu_ring_clear_ring(ring);
} else {
amdgpu_ring_clear_ring(ring);
Reported by FlawFinder.
Line: 6725
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool from_wq)
{
u32 enc, se_id, sh_id, cu_id;
char type[20];
int sq_edc_source = -1;
enc = REG_GET_FIELD(ih_data, SQ_INTERRUPT_WORD_CMN, ENCODING);
se_id = REG_GET_FIELD(ih_data, SQ_INTERRUPT_WORD_CMN, SE_ID);
Reported by FlawFinder.
Line: 6771
Column: 5
CWE codes:
120
Suggestion:
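Use sprintf_s, snprintf, or vsnprintf (sprintf_s is not available in kernel code, which leaves snprintf or scnprintf). Both calls here write a constant literal with no format arguments, 16 and 13 characters plus the terminating NUL, so if type is the char type[20] flagged at line 6725 they fit as written; snprintf(type, sizeof(type), ...) would keep the write bounded if the strings are ever lengthened. The finding at line 6773 covers the second of the two calls.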
}
if (enc == 1)
sprintf(type, "instruction intr");
else
sprintf(type, "EDC/ECC error");
DRM_INFO(
"SQ %s detected: "
Reported by FlawFinder.
Line: 6773
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (enc == 1)
sprintf(type, "instruction intr");
else
sprintf(type, "EDC/ECC error");
DRM_INFO(
"SQ %s detected: "
"se_id %d, sh_id %d, cu_id %d, simd_id %d, wave_id %d, vm_id %d "
"trap %s, sq_ed_info.source %s.\n",
Reported by FlawFinder.
drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
10 issues
Line: 380
Column: 2
CWE codes:
120
Suggestion:
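Make sure destination can always hold the source data. The length is sizeof(struct psp_gfx_cmd_resp) and the destination was just cleared over PSP_CMD_BUFFER_SIZE bytes, so the copy is in bounds as long as the structure is no larger than PSP_CMD_BUFFER_SIZE; neither size is visible here, and a compile-time assertion (for example BUILD_BUG_ON) would make that relationship explicit.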
memset(psp->cmd_buf_mem, 0, PSP_CMD_BUFFER_SIZE);
memcpy(psp->cmd_buf_mem, cmd, sizeof(struct psp_gfx_cmd_resp));
index = atomic_inc_return(&psp->fence_value);
ret = psp_ring_cmd_submit(psp, psp->cmd_buf_mc_addr, fence_mc_addr, index);
if (ret) {
atomic_dec(&psp->fence_value);
Reported by FlawFinder.
Line: 409
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skip_unsupport = (psp->cmd_buf_mem->resp.status == TEE_ERROR_NOT_SUPPORTED ||
psp->cmd_buf_mem->resp.status == PSP_ERR_UNKNOWN_COMMAND) && amdgpu_sriov_vf(psp->adev);
memcpy((void*)&cmd->resp, (void*)&psp->cmd_buf_mem->resp, sizeof(struct psp_gfx_resp));
/* In some cases, psp response status is not 0 even there is no
* problem while the command is submitted. Some version of PSP FW
* doesn't write 0 to that field.
* So here we would like to only print a warning instead of an error
Reported by FlawFinder.
Line: 698
Column: 2
CWE codes:
120
Suggestion:
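Make sure destination can always hold the source data. Unlike a fixed sizeof() copy, the length here (psp->rl_bin_size) is a runtime value, presumably taken from a loaded firmware image, while the preceding memset clears PSP_1_MEG bytes of the same buffer. The excerpt shows no check that rl_bin_size is at most PSP_1_MEG before the memcpy, so confirm that the caller or the firmware-parsing code enforces that bound. The findings at lines 1925 and 3301 copy into psp->fw_pri_buf with a runtime length in the same way.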
return 0;
memset(psp->fw_pri_buf, 0, PSP_1_MEG);
memcpy(psp->fw_pri_buf, psp->rl_start_addr, psp->rl_bin_size);
memset(cmd, 0, sizeof(struct psp_gfx_cmd_resp));
cmd->cmd_id = GFX_CMD_ID_LOAD_IP_FW;
cmd->cmd.cmd_load_ip_fw.fw_phy_addr_lo = lower_32_bits(psp->fw_pri_mc_addr);
Reported by FlawFinder.
Line: 1925
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
memset(psp->fw_pri_buf, 0, PSP_1_MEG);
memcpy(psp->fw_pri_buf, psp->ta_securedisplay_start_addr, psp->ta_securedisplay_ucode_size);
psp_prep_ta_load_cmd_buf(cmd,
psp->fw_pri_mc_addr,
psp->ta_securedisplay_ucode_size,
psp->securedisplay_context.securedisplay_shared_mc_addr,
Reported by FlawFinder.
Line: 2885
Column: 2
CWE codes:
119
120
Suggestion:
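Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. This rule fires on the fixed-size array declaration (char fw_name[PSP_FW_NAME_LEN]) rather than on a write; the code that fills fw_name from chip_name is outside the excerpt, so triage it by checking that the formatting call is bounded by sizeof(fw_name). The findings at lines 2921, 3001, 3144 and 3241 flag fw_name declarations in the same way.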
const char *chip_name)
{
struct amdgpu_device *adev = psp->adev;
char fw_name[PSP_FW_NAME_LEN];
const struct psp_firmware_header_v1_0 *asd_hdr;
int err = 0;
if (!chip_name) {
dev_err(adev->dev, "invalid chip name for asd microcode\n");
Reported by FlawFinder.
Line: 2921
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *chip_name)
{
struct amdgpu_device *adev = psp->adev;
char fw_name[30];
const struct psp_firmware_header_v1_0 *toc_hdr;
int err = 0;
if (!chip_name) {
dev_err(adev->dev, "invalid chip name for toc microcode\n");
Reported by FlawFinder.
Line: 3001
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *chip_name)
{
struct amdgpu_device *adev = psp->adev;
char fw_name[PSP_FW_NAME_LEN];
const struct psp_firmware_header_v1_0 *sos_hdr;
const struct psp_firmware_header_v1_1 *sos_hdr_v1_1;
const struct psp_firmware_header_v1_2 *sos_hdr_v1_2;
const struct psp_firmware_header_v1_3 *sos_hdr_v1_3;
int err = 0;
Reported by FlawFinder.
Line: 3144
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *chip_name)
{
struct amdgpu_device *adev = psp->adev;
char fw_name[PSP_FW_NAME_LEN];
const struct ta_firmware_header_v2_0 *ta_hdr;
int err = 0;
int ta_index = 0;
if (!chip_name) {
Reported by FlawFinder.
Line: 3241
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *cpu_addr;
dma_addr_t dma_addr;
int ret, idx;
char fw_name[100];
const struct firmware *usbc_pd_fw;
if (!adev->ip_blocks[AMD_IP_BLOCK_TYPE_PSP].status.late_initialized) {
DRM_INFO("PSP block is not ready yet.");
return -EBUSY;
Reported by FlawFinder.
Line: 3301
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
memset(psp->fw_pri_buf, 0, PSP_1_MEG);
memcpy(psp->fw_pri_buf, start_addr, bin_size);
drm_dev_exit(idx);
}
static DEVICE_ATTR(usbc_pd_fw, S_IRUGO | S_IWUSR,
Reported by FlawFinder.